510 likes | 670 Views
Application Security Models for Mobile Agent Systems. The 1 st International Workshop on Security and Trust Management (STM’05) Sept 15, 2005 Milan, Italy. Department of Computer Science Florida State University. J. Todd McDonald Alec Yasinsac. Overview. Motivation
E N D
Application Security Models for Mobile Agent Systems The 1st International Workshop on Security and Trust Management (STM’05) Sept 15, 2005 Milan, Italy Department of Computer Science Florida State University • J. Todd McDonald • Alec Yasinsac
Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions
Motivation • Defining Security • Requirements = Confidentiality, integrity, authentication… • Mechanisms = Enforce security requirements • Defining Trust • Subjective non-Boolean expectation of behavior • Non-reflexive, changing, context-driven • Acquired or delegated • Using Trust with Mobile Agent Security • Consider all mobile agent principals • Link requirements to mechanisms • Reason about trust for generic mechanisms • Initialize trust model based on context
Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions
Agent Host Code developer Application owner Host manager PRINCIPALS TRUST RELATIONSHIPS Defining Mobile Agent Trust
Defining Mobile Agent Trust • Hosts and Agents • ax→ EH[i] • EH[i] → ax • ax→ TH[i] • TH[i] → ax • DH → ax • ax → DH • ax→ ay • People to Hosts/Agents • AO → CD • AO → DH • AO → EH[i] • CD → AO • CD → DH • CD → EH[i] • DH → CD • DH → AO • EH[i]→ CD • EH[i]→ AO • Dispatching/ Execution Hosts • DH → EH[i] • EH[i] → DH • EH[i]→ EH[j] • Trusted Hosts • DH → TH[i] • TH[i] → DH • EH[i] → TH[j] • TH[j] → EH[i] • TH[i]→ TH[j]
Defining Mobile Agent Trust • Simplifying Assumptions • A ≈ CD • Agents are UNIQUE INSTANCES of agent code • Code developers write agent code • DH ≈ AO • Applications owners use agent code • The host that dispatches an agent • The user that owns the application • HM ≈ Host owner, systems manager, user • All aspects of physical execution environment
Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions
Security Requirements + Mechanisms • Idea: • use stronger mechanisms for less trusted/unknown principals • weaker mechanisms for more trusted/known principals • Corollary: • application environment determines trust levels • trust levels dictate initial security requirements DETECTION PREVENTION Detection of violations alter trust Weaker/less reliable Easier to deploy/implement Trust remains constant Stronger/most reliable Harder to deploy/implement
Execution Tracing (Vigna/Tan-Moreau) Security Requirements + Mechanisms Agent Non-repudiation Host Non-repudiation Agent Execution Integrity Agent State Integrity Agent Code Integrity DETECTION PREVENTION Detection of violations alter trust Weaker/less reliable Easier to deploy/implement Stronger/most reliable Harder to deploy/implement
Execution Tracing (Tan-Moreau) Security Requirements + Mechanisms Agent Availability Host Availability DETECTION PREVENTION Detection of violations alter trust Weaker/less reliable Easier to deploy/implement Stronger/most reliable Harder to deploy/implement
Formalizing Trust Relationships EHO EH AO A CD DH DHO EH EHO What does knowing the true identity of DH do for you?
Defining Trust-Enhanced Security A • Actions decrease trust • Trust affects • Allowed security mechanisms • Itinerary • Policy • Code distribution EH A ? TH DH EH
AO (DH) → EH Code privacy Code integrity State integrity State privacy Agent availability Agent anonymity Host authenticity Host non-repudiation EH → EH State integrity State privacy Host authenticity Host non-repudiation Host anonymity EH → AO (DH) Host data privacy Host anonymity Agent state authenticity Agent non-repudiation EH → A (CD) Agent code safety Host availability Host integrity Agent code authenticity Agent code integrity Requirements Among Principals
Defining Trust-Enhanced Security • Trust in the Agent Life Cycle • Creation/Development: Binding trust to code developer • Ownership: Binding trust to application owner • Dispatching: Binding trust to dispatching host • Execution: Binding trust to prior hosts + dispatcher • Migration: Binding trust to next host • Termination: Binding trust of application result to entire set of execution hosts + network
Defining Trust-Enhanced SecurityApplication Owners Acquire Trust Regarding Executing HostsExecutingHosts Acquire Trust Regarding Application Owners [DH] { PAST EH } [ CURRENT EH ] { FUTURE EH} [DH] Application 1 INITIAL TRUST TRUST ACQUISITION → FINAL TRUST [DH] { PAST EH } [ CURRENT EH ] { FUTURE EH} [DH] Application 2 INITIAL TRUST TRUST ACQUISITION → FINAL TRUST
Defining Trust-Enhanced Security • Trust decisions for agent • Which security mechanism do I require? • Which hosts can I migrate too? • Which code parts can I distribute? • Trust decisions for host • Which security mechanism do I use? • Do I allow agent access to resource X? • Do I authorize agent to do Y? • Do I share my policy information?
Defining Trust-Enhanced Security AO AO EH EH A A CD CD F = K L = ND T = S F = UK L = ND T = E Before migration? Decision is whether or not to MIGRATE to the host At host? Decision is whether or not to EXECUTE on host
Defining Trust-Enhanced Security • Trusted Third Parties (Trusted Hosts) • Increase/decrease trust among one or more principles • Based on their services: • Allow hosts to trust agents more/less • Allow agents to trust hosts more/less • Allow hosts to trust other hosts more/less • May provide implementation or PART of a particular security mechanism
Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions
Defining Application Security Models • Essence of Military Model • “Maginot” line • Dispatching Hosts Executing Hosts • Trusted Hosts ≠ • Only “known” principles allowed • Static (ordered/unordered) itineraries • “Centralized” management domain • Overarching management of code • Members of C (codebase) known a priori • Safety of C (codebase) evaluated a priori • Single and multiple agent applications
Defining Application Security Models Military Model • HT = Highly trusted • T = Trusted • ND = Non-determined • U = Untrusted • HU = Highly untrusted • k = Known • uk = Unknown
Defining Application Security Models • Variance of StrongMilitary Model • ALL execution hosts are equipped with tamper-proof hardware • Have equivalent trust levels as that of trusted host (highly trusted)
Defining Application Security Models • Essence of Trade Model • E-commerce: buyers/sellers • Dispatching Hosts ∩Executing Hosts = • Trusted Hosts = • Unknown principles • Dynamic and static itineraries • Single agent applications • No infrastructure for code management • Members and safety of C (codebase) not known a priori
Defining Application Security Models Trade Model • HT = Highly trusted • T = Trusted • ND = Non-determined • U = Untrusted • HU = Highly untrusted • k = Known • uk = Unknown
Defining Application Security Models • Essence of Neutral Services Model • Databases: One-of-many service providers • Dispatching Hosts ∩Executing Hosts = • Trusted Hosts ≠ OR Trusted Hosts = • Communities of “unknown” principles with common trust levels • Static or dynamic itineraries • Single and multiple agent applications
Defining Application Security Models Neutral Services Model • HT = Highly trusted • T = Trusted • ND = Non-determined • U = Untrusted • HU = Highly untrusted • k = Known • uk = Unknown
Related Works • Trust: Distributed, Decentralized, Ad-hoc • Gambetta (1990) • Yahalom, Klein, Beth (1993) • Rasmusson and Jansson (1996) • Blaze, Feigenbaum, Lacy (1996) • Grandison and Sloman (2000) – Survey • Kagal et al. (2001) • Cahill et al. (2003) • Capra (2004) • Burmester and Yasinsac (2004)
Related Works • General mobile agent security • McDonald, Yasinsac, Thompson (2005) • Claessens, Preneel, Vandewalle (2003) • Bierman and Cloete (2002) • Jansen & Karygiannis (2000) • Chess (1998) • Mobile agent security and trust • Tripathi, Ahmed, Karnik (2001) • Tan and Moreau (2001) • Robles & Borrell (2002) • Patrick (2002) • Lin et al. (2004)
Formalizing Trust Relationships • Trust notions: • peer / collaborative / trusted / honest • competitive / malicious / adversarial • neutral • not trusted • but not dishonest
Formalizing Trust Levels • Trust notions • Unidirectional: The trust one way is not necessarily the corresponding trust the other way • Limited: Specific only to a given security objective (you could be trustworthy in one respect but not another) • Specific: Trust can encompass entire sets of agents/hosts or deal with specific hosts and specific agents and specific people • Goal: Given initial trust relationships, derive new ones according to rules
Formalizing Trust Relationships • Initial Assumptions for Principles • 1..* Agents (A) ≈ Code Developer (CD) • 1 Dispatching Host (DH) ≈ Application Owner (AO) • Servers ≈ Server Owner/Manager • Agents are uniquely identifiable
The Trust Algorithm AO A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH EH F = K L = ND T = S
The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH DH F = K L = ND T = S TRUST TUPLES
The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host DH TH TRUST TUPLES
The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host TH TH TRUST TUPLES
The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host TH EH TRUST TUPLES
The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH TH TRUST TUPLES
The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH DH TRUST TUPLES
Formalizing Trust Relationships [Principle] [Trust Level] → [Foreknowledge] [Principle] [Timeliness] with (O) • P = { p1, p2 }: p1, p2 { DH | EH | TH | A } • F = { K | UK } • K = known, UK = unknown • Associate? Acquaintance? Third-hand? • TL = { HT | T | UK | U | HU } • HT = Highly trusted • T = Trusted • UK = Unknown • U = Untrusted • HU = highly untrusted • O: Security Objective • Set of 1 or more?
Defining Mobile Agent Trust • Trustworthiness of the agent code might be expressed in terms of three requirements: • Authentication of the code’s designer and the code’s identity • Integrity verification that code received is the same as code transmitted by an application owner • Probabilistic proofs that code meets some predefined security policy or safety requirements
Defining Mobile Agent Trust EHO EH AO A CD DH DHO EH EHO
Requirements Among Principals • EH → AO (DH) • Host data privacy • Host anonymity • Agent state authenticity • Agent non-repudiation
Requirements Among Principals • EH → A (CD) • Agent code safety • Host availability • Host integrity • Agent code authenticity • Agent code integrity
Requirements Among Principals • EH → EH • State integrity • State privacy • Host authenticity • Host non-repudiation • Host anonymity
Defining Mobile Agent Trust • Hosts and Agents • ax→ EH[i] • EH[i] → ax • ax→ TH[i] • TH[i] → ax • DH → ax • ax → DH • ax→ ay
Defining Mobile Agent Trust • People to Hosts/Agents • AO → CD • AO → DH • AO → EH[i] • CD → AO • CD → DH • CD → EH[i] • DH → CD • DH → AO • EH[i]→ CD • EH[i]→ AO Application Owner = AO; Code Developer = CD